[Bug 956581] Re: Stack Buffer Overflow in HTTP Manager
This bug was fixed in the package asterisk - 1:1.8.10.1~dfsg-1ubuntu1

---------------
asterisk (1:1.8.10.1~dfsg-1ubuntu1) precise; urgency=low

  * Merge from Debian unstable. (LP: #987772, #956578, #956580, #956581)
  * Remaining changes:
    - debian/asterisk.init: chown /dev/dahdi
    - debian/backports/hardy: add file
    - debian/backports/asterisk.init.hardy: add file
    - Fix building on armhf with debian/patches/armhf-fixes:
      + Flatten linux-gnueabihf in configure to linux-gnu, in the same way
        that's already done for linux-gnueabi
  * Changes dropped from Ubuntu delta as no longer applicable:
    - debian/patches/backport-r312866.diff: Backported from upstream
    - debian/control: Build-depend on hardening-wrapper, now handled by
      dpkg-buildflags
    - debian/rules: Make use of hardening-wrapper

asterisk (1:1.8.10.1~dfsg-1) unstable; urgency=low

  [ Victor Seva ]
  * Update backports/squeeze script gmime2.6 -> gmime2.4

  [ Tzafrir Cohen ]
  * New upstream bug-fix release.
    - Fixes [CVE-2012-1183 - CVE-2012-1184] Asterisk: AST-2012-002 and
      AST-2012-003 flaws (Closes: #664411).
  * Patch gmime2.6 (Closes: #663998, #664004), also fixed Build-Depends.
  * Remove the text of RFC 3951 from the tarball. (Closes: #665937)

asterisk (1:1.8.10.0~dfsg-1) unstable; urgency=low

  [ Tzafrir Cohen ]
  * New upstream release.
  * Build-depend on sqlite3 as well (Closes: #531759).

  [ Paul Belanger ]
  * debian/patch/chan_iax2-detach-thread-on-non-stop-exit:
    - Dropped; merged upstream

  [ Mark Purcell ]
  * New Release:
    - Fixes SHA-1 code doesn't allow modification (Closes: #643703)
    - Fixes Placing calls on hold fails with some IP phones (Closes: #632518)
    - Fixes Pass the correct value to ast_timer_set_rate() for IAX2 trunking.
      (Closes: #661974)
    - Fixes Call quality on IAX significantly worse than SIP (Closes: #481702)
    - Fixes New upstream release: 1.8.2.2 (Closes: #610811)
    - Fixes asterisk german number pronunciation (Closes: #402991)
    - Fixes Why using version 1.6.2.9 - it's not LTS (Closes: #612147)
    - Fixes SRTP/ZRTP support for Asterisk (Closes: #577686)
    - Fixes fails to register SIP channels on ARM (Closes: #660240)
  * export CFLAGS LDFLAGS
    - Fixes Hardening flags missing for menuselect (Closes: #664086)
    - Fixes enable hardening options (Closes: #542741)

asterisk (1:1.8.8.2~dfsg-1) unstable; urgency=high

  * New upstream release, fixes AST-2012-001 (Closes: #656596).
  * Use CFLAGS and LDFLAGS from dpkg-buildflags (Closes: #653944).

asterisk (1:1.8.8.0~dfsg-1) unstable; urgency=high

  [ Faidon Liambotis ]
  * Fix Breaks/Conflicts to contain the epoch.
  * Urgency high since this resulted in file conflicts when upgrading from
    stable.
  * Patch reenable-pri-optional: Backport a patch from upstream to fix several
    PRI features being compiled-out and hence disabled.
  * Bump libpri-dev dependency to 1.4.12; it is not strictly needed but extra
    functionality is enabled at build-time.

  [ Tzafrir Cohen ]
  * New upstream release. Closes: #651552.
    - Patch reenable-pri-optional dropped: included upstream.
  * Officially remove asterisk-h323:
    - Break older versions, as it did not have a versioned Depends before.
    - Remove the package.
  * Update watch file to only check for 1.8.x tarballs.
  * Quote paths in postinst script: Closes: #656208 (Pocos).

asterisk (1:1.8.7.1~dfsg-2) unstable; urgency=low

  * libncurses is a build dep after all (Closes: #649431).

asterisk (1:1.8.7.1~dfsg-1) unstable; urgency=high

  [ Tzafrir Cohen ]
  * New upstream release (Closes: #647252):
    - Patch refix_bashism removed: applied upstream.
    - Patch openssl10 removed: applied upstream.
    - Patch gmime-2.4 removed: applied upstream.
    - Patch gcc46 removed - was a backport from upstream.
  * Disable chan_h323: broken with current h323plus, and not loved by upstream.
  * Patch chan_iax2-detach-thread-on-non-stop-exit: Hopefully plugs a memory
    leak.
  * Patch reinclude_docs: a copy of the included documentation that was
    removed.
  * Patch sparc32_disable: Remove pointless optimization for sparc64

  [ Paul Belanger ]
  * Bump libpri-dev to 1.4.11.
  * Ensure sub-packages with asterisk modules are the same version as the
    binary.

 -- Andrew Mitchell <ajmi...@ubuntu.com>  Tue, 24 Apr 2012 22:15:54 +1200

** Changed in: asterisk (Ubuntu)
       Status: Incomplete => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1183

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1184

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to asterisk in Ubuntu.
https://bugs.launchpad.net/bugs/956581

Title:
  Stack Buffer Overflow in HTTP Manager

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/956581/+subscriptions

-- 
Ubuntu-server-bugs mailing list
[Bug 956581] Re: Stack Buffer Overflow in HTTP Manager
Unsubscribing ubuntu-security-sponsors for now. Please resubscribe once there is something to review. Thanks!
[Bug 956581] Re: Stack Buffer Overflow in HTTP Manager
(also unsubscribed ubuntu-sponsors; feel free to add it again too, when ready)
[Bug 956581] Re: Stack Buffer Overflow in HTTP Manager
** Visibility changed to: Public
[Bug 956581] Re: Stack Buffer Overflow in HTTP Manager
Hi Paul,

When compiling with your added patches, a new compiler warning pops up:

+chan_sip.c: In function 'parse_register_contact':
+chan_sip.c:13312:2: warning: implicit declaration of function 'parse_uri_legacy_check' [-Wimplicit-function-declaration]

Grepping through the source, I don't see parse_uri_legacy_check() referenced anywhere except in debian/patches/AST-2011-012.diff; is this actually correct? Was this function added after 1.8.4.4?

I've updated your debdiff to include DEP-3 references and CVE references in the changelog; it's attached. If you end up re-submitting, can you please base off it? Thanks.

** Patch added: "Updated asterisk debdiff"
   https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/956581/+attachment/2918077/+files/asterisk_1.8.4.4%7Edfsg-2ubuntu5.debdiff

** Changed in: asterisk (Ubuntu)
       Status: Confirmed => Incomplete
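The grep described in the message above, turned into a small pre-build screen for backported security patches. This is an added example and not part of the bug thread or of Ubuntu, Debian or Asterisk tooling: it reads the added lines of a unified diff, collects every function they call, and reports the ones that neither the patch nor the target tree declares. The tree contents and the hunks below are constructed stand-ins; only the names parse_register_contact and parse_uri_legacy_check come from the warning in the message, every other line is invented and is not Asterisk's code.

```python
"""Flag functions that a backported patch starts calling but that nothing in
the target tree declares.  Added example, not Ubuntu/Debian/Asterisk tooling:
the same condition that produces -Wimplicit-function-declaration at build
time, checked from the debdiff before building."""
import re
from typing import Dict, List, Set

# An identifier directly followed by '(' : a call, a definition or a prototype.
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
# A definition or prototype: one or more storage/type tokens, the name, a
# parameter list, then ';', '{' or end of line.  Rough, but good enough to
# screen a debdiff; anything it misses shows up as a false positive to review.
DEF_RE = re.compile(
    r"^\s*((?:[A-Za-z_]\w*[\s\*]+)+)([A-Za-z_]\w*)\s*\([^;{()]*\)\s*(?:;|\{|$)",
    re.M)
# Function-like macros count as declarations too.
MACRO_RE = re.compile(r"^\s*#\s*define\s+([A-Za-z_]\w*)\(", re.M)
C_KEYWORDS = {"if", "else", "for", "while", "do", "switch", "return", "sizeof",
              "case", "goto", "typeof", "__attribute__"}


def declared_names(c_source: str) -> Set[str]:
    """Names defined, prototyped or #defined as function-like macros."""
    names = set(MACRO_RE.findall(c_source))
    for prefix, name in DEF_RE.findall(c_source):
        if prefix.split()[0] not in C_KEYWORDS:   # drop 'return foo(x);' etc.
            names.add(name)
    return names


def added_lines(patch: str) -> List[str]:
    """Lines a unified diff adds, without the leading '+' (file headers skipped)."""
    return [ln[1:] for ln in patch.splitlines()
            if ln.startswith("+") and not ln.startswith("+++")]


def undeclared_calls(patch: str, tree: Dict[str, str]) -> List[str]:
    """Functions called on the patch's added lines that neither the patch nor
    any file in `tree` (path -> contents) declares."""
    added = "\n".join(added_lines(patch))
    known = declared_names(added)          # the patch may bring its own prototype
    for content in tree.values():
        known |= declared_names(content)
    called = set(CALL_RE.findall(added)) - C_KEYWORDS
    return sorted(called - known)


# Constructed stand-in for the 1.8.4.4 tree: the function names come from the
# warning in the bug, the bodies are invented and are not Asterisk's code.
TREE = {
    "channels/chan_sip.c": """\
static int parse_uri(char *uri, const char *scheme, char **user, char **pass,
                     char **domain, char **transport);
void ast_log(int level, const char *fmt, ...);

static int parse_register_contact(struct sip_pvt *pvt, struct sip_peer *peer,
                                  struct sip_request *req)
{
    char *contact = get_header(req, "Contact");
    return parse_uri(contact, "sip:,sips:", &name, &pass, &domain, &transport);
}
""",
}

# Constructed hunk in the shape of the backport under discussion: it switches
# the call to a helper the target tree does not have.
PATCH = r"""--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -13305,7 +13305,8 @@ static int parse_register_contact(struct sip_pvt *pvt,
     char *domain;
-    if (parse_uri(contact, "sip:,sips:", &name, &pass, &domain, &transport)) {
+    if (parse_uri_legacy_check(contact, "sip:,sips:", &name, &pass, &domain, &transport)) {
+        ast_log(LOG_WARNING, "Invalid Contact URI\n");
         return PARSE_REGISTER_FAILED;
     }
"""
# Same hunk plus the prototype the backport forgot to carry over.
PATCH_WITH_PROTOTYPE = PATCH + r"""@@ -1230,3 +1230,5 @@
 /* URI helpers */
+static int parse_uri_legacy_check(char *uri, const char *scheme, char **user,
+                                  char **pass, char **domain, char **transport);
"""

if __name__ == "__main__":
    print("missing:", undeclared_calls(PATCH, TREE))                 # ['parse_uri_legacy_check']
    print("missing:", undeclared_calls(PATCH_WITH_PROTOTYPE, TREE))  # []
```

The compile-time equivalent is adding `-Werror=implicit-function-declaration` to CFLAGS, which turns the warning from the build log into a hard error. That matters for a security backport because a call without a prototype is compiled against an implicit `int` signature, so the code can build and still not behave like the upstream fix; and when the function is never defined at all, a module built as a shared object may not fail until it is loaded rather than at link time, so the warning is the earliest signal.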
[Bug 956581] Re: Stack Buffer Overflow in HTTP Manager
Odd, I don't remember seeing that when I compiled. Let me try to test the patch and make any changes.